PCI DSS 4.0: how to comply with the latest changes
PCI DSS 4.0: how to comply with the latest changes
22 March 2024 | Published by John Clark
Running a business brings some big rewards but also comes with many responsibilities, from managing taxes to invoicing. One of these obligations is being compliant with the required payment regulations and standards, which is crucial for protecting your business and customer trust.
The Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0), the latest update to card payment security standards, introduces a new wave of requirements that businesses must meet before the deadline.
In this guide, we'll simplify what these updates mean to your business and offer insights into how you can make sure you’re compliant and ready come the 31st of March 2024.
What is PCI DSS?
Before diving into the specifics of PCI DSS 4.0 phase 1 compliance, let’s rewind and break down what PCI DSS is.
PCI DSS stands for Payment Card Industry Data Security Standard and is a set of 12 core security standards created to protect sensitive cardholder data. The first version of PCI DSS was launched in 2004 by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is made up of representatives from major credit card companies, including Visa, Mastercard, and American Express.
PCI DSS aims to reduce the risk of data breaches and fraud in payment card transactions, and it applies to all businesses that process card payments or store card data. Essentially, if you process card payments, you have to be compliant with the PCI DSS standards; otherwise, you could be fined and put your customers’ card information at risk.
What is PCI DSS 4.0?
PCI DSS 4.0 was officially published in March 2022 and represents the latest iteration of security standards, introducing 63 new changes to address evolving security threats and technological advancements.
Some of the changes were brought in with immediate effect, but most businesses have until the 31st of March 2024 to comply with the first phase of 13 new requirements. A second phase gives businesses until 31st March 2025 to meet the rest of the requirements.
The last version of PCI DSS was v3.2.1, which will be retired at the end of March 2024 to allow v4.0 to come into full effect.
What are the main changes to PCI DSS 4.0?
So, to get your business compliant with phase one of PCI DSS 4.0, you’ll need to know what’s new. We’ve pulled together a summary of some of the key changes, and John Clark, Product Manager here at takepayments, talks us through them:
1. Terminology
Firstly, v4.0 redefines some of the terminology used within the standards. For example, the PCI DSS Summary of Changes states that ‘cardholder data’ has been updated to ‘account data’ to better align with today’s usage and intent.
“PCI DSS was initially launched in 2004, and things have changed a lot since then. Technology has come a long way, and so have the ways that people like to pay. Things like contactless, biometric payments, and Buy Now, Pay Later didn’t exist in the first iteration. So, the security council had to recognise the advancements and accommodate for them – as well as future-proof the standard for new developments,” says John. “Amending the terminology is a sign of the PCI DSS accounting for the latest payment processes, methods, and security architectures.”
2. Access and authentication
Multi-factor authentication (MFA) is a core security protocol that helps reduce card payment fraud and v4.0 states that MFA must be rolled out across all cardholder data environments (CDE). CDE refers to any person, process, or technology used to store, process, or transmit cardholder or authentication data.
“Making MFA a mandatory security protocol across all accounts in the CDE will help to strengthen any gaps where vulnerabilities could occur, helping to reduce security risks,” says John.
The PCI DSS v4.0 has also changed password requirements, requiring all password counts to be upped from seven to twelve letters. They must also include a number, upper and lower case letters, and a special character.
“Lengthier and more complex passwords may cause some friction for user experience, but they’ll be much more difficult for scammers to gain access to – which is the aim of the PCI DSS standard.”
3. Compliance flexibility
While many areas of the PCI DSS have been tightened to reduce security gaps, organisations have more flexibility in v4.0 around how they want to comply. Businesses can take one of two approaches to implement the standard:
- Defined approach – Organisations can implement security measures to meet the designated requirements, and an assessor follows defined testing procedures to identify if the business meets the requirements.
- Customised approach – Organisations can choose which security measures to implement, provided they comply with the necessary objective. With this approach, an Internal Security Assessor (ISA) or a Qualified Security Assessor (QSA) must approve the measures.
“Not all businesses operate the same, so giving them a choice on how they want to approach the new standard can help them to apply the new measures in a way that best suits them,” states John. “Businesses are offered even more flexibility in that they can use a mixture of both the defined and customised approach if needed.”
“This flexibility in how businesses approach compliance is an overarching theme to the latest PCI DSS version. V4.0 moves away from a strict checklist assessment to encouraging organisations to establish procedures that focus on long-term compliance,” explains John. “Card security has never been more important, and making PCI DSS compliance a cornerstone of everyday processing puts businesses on the path to establishing it as a prerequisite rather than an afterthought.”
How to prepare your business for phase one of PCI DSS 4.0
1. Identify your merchant level
The PCI DSS outlines four different merchant levels that are defined by the total amount of transactions that a business processes each year. Each business’s level of compliance is dictated by which merchant level they fall into.
The merchant levels are:
| Mastercard | Visa | American Express (AmEx) | Discover Global Network (DGN) | JCB | |
| Level 1 | Over 6 million transactions | Over 6 million transactions | Over 2.5 million transactions | Over 6 million transactions | Over 1 million transactions |
|
Level 2 |
1-6 million transactions | 1-6 million transactions | 50,000-2 million transactions | 1-6 million transactions | Less than 1 million |
| Level 3 | 20,000-1 million e-commerce transactions | 20,000-1 million e-commerce transactions | 10,000-50,000 transactions | Up to 1 million transactions of any type | - |
| Level 4 | Less than 20,000 e-commerce transactions OR up to 1 million total transactions | Less than 20,000 e-commerce transactions OR up to 1 million total transactions | Less than 10,000 transactions | - | - |
Compliance varies with each merchant level, but those in Level 1 will have the strictest regulations to comply with. Merchants that have been the subject of data breaches can also be categorised as Level 1, despite meeting the transaction threshold requirements.
Some of the regulations for Level 1 compliance include:
- Having a vulnerability scan conducted each quarter by PCI-certified Approved Scanning Vendors (ASVs)
- Having an annual penetration test to spot vulnerabilities
- Having a report on Compliance by a QSA or ISA
- Having a PCI Attestation of Compliance by a QSA
2. Understand your current compliance
To know where you need to brush up to meet v4.0 regulations, you’ll need to conduct a gap analysis or audit. Large corporations and merchants in Level 1 must have a Compliance audit performed by a QSA or ISA. Smaller businesses, or those in Level 4, who accept card payments must complete a PCI Compliance Self-Assessment Questionnaire (SAQ).
The SAQ must be signed by a member of the business and submitted to the acquiring bank yearly.
3. Seek third-party guidance
Level 1 businesses may have in-house teams that look after their PCI DSS compliance process, but those in Level 4 may benefit from third-party help to make sure they’re following all the right regulations.
“At takepayments, our dedicated Security+ offering is on-hand to ensure merchants can receive the support they need to meet PCI DSS 4.0 compliance,” explains John.
“Our team of experts understand how the latest version of the standards affects smaller businesses and the unique challenges that they face, so they can provide tailored guidance in line with the latest requirements. With Security+, we make the transition smooth and take care of it all so merchants can focus on the day-to-day running of their businesses.”
What happens if businesses aren’t compliant by 31st March 2024?
While the PCI Security Standards Council sets the PCI DSS, the Council members enforce the regulations. These are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
And it’s these acquiring banks that impose strict fines on merchants if they fail to comply.
Fines vary depending on the acquirer, but businesses could receive a hefty fine of up to $100,000 (roughly £80,000) each month until they become compliant. The amount of customers and transactions a business processes and the severity of the non-compliance will also impact the penalty.
“Along with a PCI DSS fine, merchants may also be penalised by their acquirer for being non-compliant and face monthly non-compliance fees,” explains John. “ Here at takepayments, we go through this process with you as part of our Security+ offering.”
“However, the biggest threat to businesses if they fail to meet PCI DSS regulations is that they could be vulnerable to a data breach, and their customers’ sensitive information won’t be protected should they suffer a card data loss. And this could cause hugely detrimental damage, far greater than any fines.”
How can small businesses find out what their compliance requirements are?
“Small businesses should contact their acquirer to find out their standards for compliance, as each acquirer may set different requirements,” says John.
“Merchants don’t have to pay to transition to PCI DSS 4.0, as they can choose to make changes to follow the guidelines themselves. However, hiring a third-party professional or service provider to consult can help businesses to comply correctly. Our Security+ offering gives guidance to ensure that merchants adhere to the necessary standards and could hugely minimise the risk of non-compliance.”
How will the PCI DSS 4.0 update affect card payments after 31st March 2024?
“The core aim of the PCI DSS is to protect customer card data from unauthorised use or falling into the wrong hands, so businesses adhering to the latest 4.0 regulations could benefit from more secure and stronger security measures when processing card payments,” John says.
It’s estimated that a cyber attack happens on average every 39 seconds, and there were over 364 million reports of data breaches or leaks in 2023. With cybercrime becoming one of the most important global risks to businesses, implementing the proper safeguards to keep customer data safe has never been more pivotal.
The proper storage of your customer’s data isn’t the only benefit of abiding by PCI DSS 4.0. Data breaches can be costly to rectify, which can be a massive hit for small businesses. Plus, it can affect a merchant’s reputation and potentially damage consumer confidence.
“Security+ not only advises on PCI DSS requirements, but it also provides guidance on how merchants can protect against active security threats. We send out regular updates on how small businesses can stay safe and what precautions they can take to limit the chances of cyber attacks causing long-lasting damage.”
Get PCI DSS 4.0 compliant with takepayments
With our Security+ package, we can support you with your PCI compliance and help you understand how to keep your payments safe and secure. Get in contact with us today to help keep your business and customers protected.
Or, you can find the latest card machines or POS system to process transactions safely and securely.
